gh0strat | 08dea35cc0044a141f7509885d266dce877fb2ec5d0644e5a8c3bd8501a60bf8

Analysis

max time kernel
149s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2025, 08:47

Target

08dea35cc0044a141f7509885d266dce877fb2ec5d0644e5a8c3bd8501a60bf8.exe
Size

376KB
MD5

9b7268cad5fba0526815c4f0b174abe2
SHA1

443c188d5cc8f72a413ada01156682b789d249ab
SHA256

08dea35cc0044a141f7509885d266dce877fb2ec5d0644e5a8c3bd8501a60bf8
SHA512

7fe3c4aeb7f65e6e02cb446d9f0c4374bc24cac000e39582a2e680e21d2090f424e8a5abe834fe859d99b1982e64e6ec52e2fb05753f2f41a6e5f5c542cf26de
SSDEEP

6144:ROyLEbWaR5Cc/8JFmuy4ixRDDDDhVZGYzaQ:cUaWaR5v/6q7hZG

Score

10^/10

Family

gh0strat

127.0.0.1

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/4420-0-0x0000000010000000-0x0000000010015000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\08dea35cc0044a141f7509885d266dce877fb2ec5d0644e5a8c3bd8501a60bf8.exe"	08dea35cc0044a141f7509885d266dce877fb2ec5d0644e5a8c3bd8501a60bf8.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08dea35cc0044a141f7509885d266dce877fb2ec5d0644e5a8c3bd8501a60bf8.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4420	08dea35cc0044a141f7509885d266dce877fb2ec5d0644e5a8c3bd8501a60bf8.exe
4420	08dea35cc0044a141f7509885d266dce877fb2ec5d0644e5a8c3bd8501a60bf8.exe
4420	08dea35cc0044a141f7509885d266dce877fb2ec5d0644e5a8c3bd8501a60bf8.exe
4420	08dea35cc0044a141f7509885d266dce877fb2ec5d0644e5a8c3bd8501a60bf8.exe
4420	08dea35cc0044a141f7509885d266dce877fb2ec5d0644e5a8c3bd8501a60bf8.exe
4420	08dea35cc0044a141f7509885d266dce877fb2ec5d0644e5a8c3bd8501a60bf8.exe
3228	08dea35cc0044a141f7509885d266dce877fb2ec5d0644e5a8c3bd8501a60bf8.exe
3228	08dea35cc0044a141f7509885d266dce877fb2ec5d0644e5a8c3bd8501a60bf8.exe
3228	08dea35cc0044a141f7509885d266dce877fb2ec5d0644e5a8c3bd8501a60bf8.exe
3228	08dea35cc0044a141f7509885d266dce877fb2ec5d0644e5a8c3bd8501a60bf8.exe
3228	08dea35cc0044a141f7509885d266dce877fb2ec5d0644e5a8c3bd8501a60bf8.exe
3228	08dea35cc0044a141f7509885d266dce877fb2ec5d0644e5a8c3bd8501a60bf8.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5328 wrote to memory of 3228	5328	cmd.exe	88
PID 5328 wrote to memory of 3228	5328	cmd.exe	88
PID 5328 wrote to memory of 3228	5328	cmd.exe	88

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\08dea35cc0044a141f7509885d266dce877fb2ec5d0644e5a8c3bd8501a60bf8.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5328
- C:\Users\Admin\AppData\Local\Temp\08dea35cc0044a141f7509885d266dce877fb2ec5d0644e5a8c3bd8501a60bf8.exe
  C:\Users\Admin\AppData\Local\Temp\08dea35cc0044a141f7509885d266dce877fb2ec5d0644e5a8c3bd8501a60bf8.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3228